Introduction. Key points of the recent ODPC guidance, and the Article 29 working group guidance

Similar documents
THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

Regulatory News Alert ECB Guide to fit and proper assessments

Webinar: Deep Dive into the Role of the DPO under the GDPR

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

How employers should comply with GDPR

EU General Data Protection Regulation (GDPR)

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

The 2016 Deloitte Millennial Survey. Switzerland - Country Report 17 January 2016

EU General Data Protection Regulation (GDPR) Point of View for ERP and HRMS Operations. For private circulation only.

ARTICLE 29 DATA PROTECTION WORKING PARTY

Guidelines on the management body of market operators and data reporting services providers

Risk Based Approach and Enterprise Wide Risk Assessment Edwin Somers / Inneke Geyskens-Borgions 26 September 2017

Co/outsourcing and/or supporting of your customs and global trade management

Compliance digitalization The impact on the Compliance function. Deloitte Risk Services April 2016

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

Date of review: Policy Category:

Anti Money Laundering (AML) Advisory Services Effective solutions for complex issues Deloitte Malta, 2017

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

Fraud, bribery and corruption Protecting reputation and value

Information Governance Policy

Assessment of the effectiveness of the audit process

Cultivating a Risk Intelligent Culture A fresh perspective

Accelerating the Path to GDPR Compliance: Are you ready to go "live"? Seminar

Colleges and public authority status under data protection legislation

Defence Health Governance Structure

EU data protection reform

WSGR Getting Ready for the GDPR Series

ECDPO 1: Preparing for the EU General Data Protection Regulation

GDPR Compliance Checklist

Beyond Compliance. Leveraging Internal Control to Build a Better Business: A Response to Sarbanes-Oxley Sections 302 and 404

Data protection (GDPR) policy

Sustainability reporting using the GRI Taxonomy

A questionnaire for senior management

2017 Millennial Survey Russia. January 2017

Health Service Executive

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

UNIVERSITY OF ST ANDREWS STUDENTS ASSOCIATION STAFF DISCIPLINARY PROCEDURE

Audit Committee and other Board Committees Roles and responsibilities under the Companies Act, 2013

The General Data Protection Regulation: What does it mean for you?

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

Funds in a Box Solutions Factsheets and on-line Fund Profiles. Funds in a Box Solutions Factsheets 2.0

2017 Millennial Survey South Africa. January 2017

VOLUNTARY CODE OF CONDUCT IN RELATION TO EXECUTIVE REMUNERATION CONSULTING IN THE UNITED KINGDOM

SREP Transformation The Deloitte approach. Deloitte Malta Risk Advisory - Banking

Data Protection Policy

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

New market mechanisms for renewables in Poland. Opportunity or threat?

The Report of the Audit Committee Analysing the trends in South Africa

GDPR. The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April

EU GENERAL DATA PROTECTION REGULATION

with Xavier Darmstaedter Managing Partner GEDAPRE DACOTA Consulting

General Data Privacy Regulation: It s Coming Are You Ready?

Simplification of work: Knowledge management as a solution within the European Institutions

Distributed ledger technologies services. Distributed ledger technologies services Using the power of blockchain

Data Protection. Policy

Customer Data Protection. Temenos module for the General Data Protection Regulation (GDPR)

Dexia Group Audit Charter

MKO Partners, Chartered Accountants Audit Transparency Report 2015

CORPORATE COMPLIANCE PROGRAM CHARTER

Casework Technical Support (Social Welfare - Project Management)

Lisbon, 17 May Agustín Puente Escobar State Counsel Head of the Legal Cabinet. Agencia Española de Protección de Datos

Sustainability Reporting using the GRI Taxonomy Paul Hulst, Deloitte

The Sage quick start guide for businesses

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

Governance Indexing & Screening Tool (GIST)

The General Data Protection Regulation An Overview

Grievance Policy. Version: 2.3. Status: Final. Title of originator/author: Human Resources Directorate. Name of responsible director:

Document Management for Global Trade Deloitte Academy DMS for GTS Working Slides

Caribbean Association of Audit Committee Members Inc. Independent Quality Assurance Assessment of the Internal Audit function

Getting Ready for the GDPR

Job Description. Background. Date: April No. of reports: Nil. Delegated Financial Authority: (If applicable)

Audit Committee Performance Evaluation

Section 22. Scope of section. Accreditation. Eligibility Criteria

4A s Client Audit Guidance

Data Flow Mapping and the EU GDPR

Securing tomorrow today Improving the process of VAT compliance and return preparation

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

Dun & Bradstreet (Australia) Pty. Ltd

Information Governance Strategic Management Framework

Staff Code of Conduct (Version 1.0)

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

Rexel Shredding. Why a paper security policy is integral to GDPR compliance.

Honorary Contracts Procedure

Annexure B Section 22

CRITERIA FOR EQUASS ASSURANCE (SSGI)

Capability health procedure for academic support staff

What is GDPR and Should You Care?

EU General Data Protection Regulation (GDPR) Tieto s approach and implementation

MKO Partners, Chartered Accountants Audit Transparency Report 2016

PSD2 DATA FINTECH MARKETPLACE AISP CUSTOMER AWARENESS ALLIANCES MOBILE ECONOMY PISP API DIGITAL COMPLY REVENUE RTS SCORING BANKING STRATEGIC

General Data Protection Regulation (GDPR) Meeting the new requirements

GoldSRD Audit 101 Table of Contents & Resource Listing

Summary findings inspection quality of statutory audits Big 4 firms

OFFICE OF THE DATA PROTECTION COMMISSIONER. Official Languages Act Language Scheme

Discipline Policy and Procedure. Adopted by the Trust Board on 6 December 2016

Job Description Assistant HR Business Partner Document Owner: Head of Human Resources & Organisational Development

Human Capital Business led. People driven.

Role Title: Chief Officer Responsible to: CCG chairs - one employing CCG Job purpose/ Main Responsibilities

The Robots Are Here! RPA Services in Greece

Transcription:

The Role of the Data Protection Officer Key points of the recent ODPC guidance and the Article 29 Working Group Guidance September 2017 00

Introduction Key points of the recent ODPC guidance, and the Article 29 working group guidance The Article 29 Working Party (WP29) adopted guidance on the role of the Data Protection Officer (DPO) under the new General Data Protection Regulation (GDPR) last April 2017. In Ireland, the Office of the Data Protection Commissioner has recently issued (dated 14/08/17) their guidance on the appropriate qualifications for the DPO role. Under the GDPR, it is a requirement for certain data controllers and data processors to designate a DPO for their organisations. This designated DPO will play a leading and crucial role in implementing an effective data protection framework that complies with the new requirements as set out under the GDPR. 01

We summarise the key points of the guidance as follows: Mandatory Designation Under Article 37(1) of the GDPR, data controllers and processors must designate a DPO in any case where: (a) The processing is carried out by a public authority or body except for courts acting in their judicial capacity; (b) the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. The WP29 has clarified some of the key criteria around the mandatory designation of a DPO as follows: 1. Record The WP29 has recommended that controllers and processors keep a record of the internal analysis carried out to determine whether or not a DPO is to be appointed in order to demonstrate that all relevant factors have been taken into account. Keeping this record also satisfies the accountability principle under the GDPR and must be considered an updateable and live document. 2. Public Authority or Body The WP29 considers that what constitutes a public authority or body is to be determined under national law and that these bodies must appoint a DPO. Furthermore, other natural or legal persons governed by public or private law (e.g. Public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulatory professions) are not obliged to appoint a DPO but the WP29 recommends it as good practice. 3. Core activities of the controller/processor Core activities of the controller or processor is understood to relate to primary activities and key operations necessary to achieve the organisations goal (e.g. Hospitals using health data to provide healthcare or security companies carrying out surveillance) and does not relate to the processing of personal data as ancillary activities (e.g. Organisations processing payroll data of their employees). 02

4. Large Scale The WP29 recommends the following factors in determining whether processing is large scale : o Number of data subjects concerned o Volume of data and/or range of different data items being processed o Duration or permanence of the data processing activity o Geographical extent of the processing activity Some examples listed by the WP29 of large scale processing are called out as the processing of patient data in the regular course of business by a hospital, processing of customer data in the regular course of business by an insurance company or bank, processing of personal data for behavioural advertising by a search engine. 5. Regular and Systematic Monitoring Regular and Systematic Monitoring of data subjects is interpreted by the WP29 as meaning: o o Regular: ongoing or occurring at particular intervals for a particular period, recurring or repeated at fixed times, constantly or periodically taking place. Systematic: occurring according to a system, pre-arranged, organised or methodical, taking place as part of a general plan for data collection, carried out as part of a strategy. Some examples listed by the WP29 of regular and systematic monitoring are in relation to all forms of tracking, profiling and monitoring of the behaviour of data subjects such as targeted marketing activities, profiling and scoring for a risk assessment (fraud prevention AML controls, credit scoring, calculation of insurance premiums etc.), location tracking etc. DPO for the Data Processor The requirements under the GDPR apply to data controllers and data processors alike but it depends on who will fulfil the mandatory designation criteria above as to whether a DPO had to be appointed. The WP20 specifically states that even if it is only the data controller that fulfils the mandatory designation, it may be good practice for the data processor to appoint a DPO regardless. 03

Designation of a single DPO for several organisations A group of undertakings may appoint a single DPO as long as that person is easily accessible from each establishment (see next point). In addition a single DPO can be appointed for several public authorities or bodies depending on their structure and size and with the help of a team if necessary. Easily accessible from each establishment The accessibility of the DPO, according to the WP29, refers to the actual tasks of the DPO as a contact point for data subjects and cooperation with the supervisory body. If there is to be a single DPO for a group of undertakings efficient communication and carrying out of key tasks is key across all languages if necessary. The personal availability of the DPO is also crucial to ensure data subjects can contact him/her. The WP29 recommends that the DPO be located within the European Union in order to be accessible but they do acknowledge that if the controller or processor is not established within the EU, it may be more effective the DPO carried out his/her activities outside the EU also. Expertise and skills of the DPO 1. Expertise According to the WP29 and the ODPC, the required level of expertise is not defined but it must be commensurate with the sensitivity, complexity and amount of data that the organisation processes. Expertise must also be taken into account if the organisation systematically transfers personal data outside of the European Union. Non-exhaustive list of considerations when selecting a training programme: the content and means of the training and assessment; whether training leading to certification is required; the standing of the accrediting body; and whether the training and certification is recognised internationally 2. Professional Qualifications Regarding professional qualifications, it is relevant that the DPO has expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR. The DPO must also have knowledge of the business sector of the organisation and understand any processing activities, IT systems, and security and data protection needs of the organisation. The ODPC recommends that organisations should proactively decide on the qualifications and level of training required for the DPO and further recommends that the following nonexhaustive list be taken into consideration when selecting a training programme: 04

3. Ability to fulfil its tasks Ability to fulfil its tasks refers to the integrity and high professional ethics of the individual named as DPO as well as enabling and fostering compliance with the GDPR and data protection through elements such as the principles of data processing, data subject rights, data protection by design and by default, record keeping of processing activities, security of processing and breach notification and handling. 4. Appointing the DPO on the basis of a service contract Appointing the DPO on the basis of a service contract can be concluded with an individual or an organisation outside of the controllers or processors organisation ensuring that there are no conflicts of interests and that such individual is protected by the provisions of the GDPR. A team of individuals can also be structured in order to efficiently serve clients as long as there is clear allocation of tasks and a lead contact and person in charge for each client. These points should be covered under the service contract. Publication and communication of the DPO s contact details This requirement under GDPR ensures that the contact details of the DPO should include information allowing data subjects and the supervisory authority to reach the DPO easily (address, phone, email address, dedicated hotline or dedicated contact form on an organisation s website). The requirement does not extend to the DPO s name but it may be best practice and is for the DPO and the organisation to decide. The WP29 recommends that an organisation informs the supervisory authority and employees of the name and contact details of the DPO as good practice. Position of the DPO The WP29 stresses that it is crucial that the DPO is involved from the earliest stage possible in all data protection matters. The DPO must be involved early in relation to data protection impact assessments. This is crucial to complying with the privacy by design requirement under GDPR. The DPO must also be part of any discussion or working groups dealing with data processing activities of the organisation. The WP29 recommend developing data protection guidelines or programmes that set out when a DPO must be consulted to ensure they are part of the decision making processes for privacy implications and that they are consulted promptly in the case of a data breach or any other privacy incidents. 05

Necessary Resources The WP29 call out the following as being necessary resources: Active support of the DPO by senior management (such as board level) Sufficient time to fulfil their duties Financial, infrastructure and staff resources Official communication of the DPO appointment to all employees Access to stakeholders such as HR, Legal, IT, Security etc. Continuous training A DPO team depending on the size and structure of the organisation Acting in an independent manner DPO s must not be instructed how to deal with a matter according to the WP29 and they must not be instructed to take a certain view of a data protection issue. The controller or processor does remain responsible for compliance however, and must be able to demonstrate compliance. If they make decisions that go against the DPO s advice, the DOP must be able to make his opposing opinion clear. Currently, data protection generally sits within compliance or other functions such as data governance or information security but the new requirements could prevent the DPO reporting into the heads of these functions due to a potential conflict of interest and the requirement for the DPO to act in an independent manner. The DPO and these heads of functions could be the same person but the general thinking is that this could cause an independence and workload issue. There will therefore be some grey areas between these heads of functions and the DPO in terms of roles and responsibilities. Conflicts of interests The DPO may fulfil other tasks and duties however, these duties must not conflict with their data protection duties. The independence requirement is strengthened here and a DPO cannot hold a position within an organisation that leads him/her to determine the purposes and means of processing personal data. 06

Tasks of the DPO The DPO must monitor compliance with the GDPR. In order to do this, the DPO may: Collect information to identify processing activities Analyse and check compliance of any processing activities Inform, advise and issue recommendations Data Protection Impact Assessments: It is the task of the controller to carry out data protection impact assessments but the DPO must assist and provide advice to the controller in terms of whether or not to carry out an assessment, the risk-based methodology to use, mitigating controls and whether or not it has been carried out accurately and the conclusions comply with the GDPR. Dismissal or penalty for performing DPO tasks The DPO must not be penalised for carrying out his/her duties or giving advice that the controller or processor disagrees with. Record-keeping: DPOs can be assigned the task of maintaining the record of processing activities under the responsibility of the controller. This record will be considered a tool to enable the DPO to perform its tasks of monitoring compliance and informing and advising the controller or processor. For more information on the DPO requirements under the GDPR or for any data protection and privacy questions including tailored GDPR and DPIA assessments, please contact the Deloitte Ireland Data Privacy Services team. Contact Sean Smith Partner Risk Advisory Email: seansmith1@deloitte.ie Donal Murray Director Risk Advisory Email: donmurray@deloitte.ie Nicola Flannery Senior Manager Risk Advisory Email: niflannery@deloitte.ie 07

Contact Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. At Deloitte, we make an impact that matters for our clients, our people, our profession, and in the wider society by delivering the solutions and insights they need to address their most complex business challenges. As one of the largest global professional services and consulting networks, with over 244,400 professionals in more than 150 countries, we bring world-class capabilities and high-quality services to our clients. In Ireland, Deloitte has over 2,300 people providing audit, tax, consulting, and corporate finance services to public and private clients spanning multiple industries. Our people have the leadership capabilities, experience, and insight to collaborate with clients so they can move forward with confidence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. 2017 Deloitte. All rights reserved 08

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback